Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to convert time format?

splunk_enjoyer
Explorer
‎12-08-2022 10:10 PM

Hello Splunk Lovers! i have date format 202211131614220000 and i want convert this format to readble for Splunk

i should use strptime and strftime, but i have some problems. Please, give me prompt

Tags (1)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎12-09-2022 03:08 AM

@splunk_enjoyer You need to state your question clearly.  "Have problems" is not a question.  What is the definition of "readable for Splunk"?  Splunk only understands epoch, so strptime is your answer.  The string you illustrated looks like some combination of 4-digit year followed by some representation of month, day, hour, etc.  Such may be obvious to you.  But unless you can tell others what exact format it really is, others can only speculate like @inventsekar did.  If you actually mean "readable by humans," and you don't care whether Splunk can use it to perform calculations based on epoch, you can use string manipulation to do so, e.g., you can do something as crazy as

| eval readable_time = replace(timestamp, "^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d+)", "\1-\2-\3T\4:\5:\6.\7-00:00")

provided the format is 4-digit year, 2-digit month, 2-digit day, 2-digit hour, 2-digit minute, 2-digit second,  4-digit subsecond (like @inventsekar speculated), and the desired output format is something resembling ISO with Zulu time zone.  Remember, it is unfair to make volunteers read your mind.  Make your question as clear as possible.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-08-2022 10:39 PM

Hi @splunk_enjoyer ..

Please check this:

| makeresults | eval timestamp="202211131614220000" 
| eval goodtimestamp = strftime(strptime(timestamp,"%Y%m%d%H%M%S%4Q"),"%m/%d/%Y %H:%M:%S")
|table timestamp goodtimestamp

 

splunk-timestamp.png

Reply

splunk_enjoyer
Explorer
‎12-11-2022 10:54 PM

its works! thanks man!
sorry, i had some problems, take your karma. thanks a lot! 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...

Developer Spotlight with Mika Borner

From Hackathon Winner to Enterprise Leader    Mika Borner, CEO and Founder of Datapunctum AG, has been ...